http://securityratty.com/tag/fresno Wed, 20 Feb 2008 22:57:26 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss http://securityratty.com/article/5b27cd4f47b57d95125f4eac7c9262a2 http://securityratty.com/article/5b27cd4f47b57d95125f4eac7c9262a2 Security Breach

Date Reported:
4/4/08

Organization:
University of California

Contractor/Consultant/Branch:
University of California, Irvine (UCI)

Victims:
"current and former UCI graduate students and medical students"

Number Affected:
"more than 100 identified victims at UCI"

Types of Data:
Tax information

Breach Description:
"April 9 Update: UC Irvine has received more than 100 reports that Social Security numbers have been stolen and used to file fraudulent tax returns to gain refunds."

Reference URL:
University of California, Irvine Identity Theft Alert
Orange County Register

Report Credit:
University of California, Irvine

Response:
From the online sources cited above:

UC Irvine police say 7,000 current or former graduate students could be at risk of identity thieves who already used stolen data to file fake tax returns

Victims are identified as current and former UCI graduate students and medical students.

In most cases, the students have discovered the issue when they electronically submit their federal income tax returns and the Internal Revenue Service informs them that someone has already filed using their name and Social Security number.
[Evan] Wow!  This is a shocking way of finding out that you are a victim.

Police said Friday they don't know how the information was stolen or who is using it.
[Evan] This is almost equally as alarming.  How do you plug a hole if you don't know where it is or if it's even still leaking?

UCIPD sent out a campuswide crime alert March 20 describing the situation and advising students to contact campus police, at 949-824-0073 or (after hours/weekends) 949-824-5223, if they have any information or believe they have been a victim.

To date, an extensive investigation by the university has not identified a security breach on campus.

Extensive full-time resources have been dedicated to the investigation. UC Irvine Police Department, Network & Academic Computing Services, Administrative Computing Services and campus administrative staff have been conducting a thorough investigation.

The only victims of whom UCI is aware are graduate and medical students who were enrolled during the 2006-07 academic year and had GSHIP (Graduate Student Health Insurance Program) insurance.
[Evan] This is a localized group of people, so you would think that this would narrow the source down some.

Students who fall into that category can call the IRS at 1-800-829-1040.

"For the last two weeks, we have been scouring all of our databases and computer systems, but we have not found any leak here" on campus, UCI Police Chief Paul Henisey said.

The thefts appear to be part of a larger national case being investigated by the Internal Revenue Service, Henisey said. IRS agents have been on campus as part of the inquiry, he said. Henisey said the trail leads out of state, but would not comment further to avoid jeopardizing the case.
[Evan] It is good news that the IRS is working with the case too.  I think it is going to take a sound investigation by the IRS to track this down.

Local and federal agencies stand ready to help. File crime reports with:
•    UCI Police Department, 949-824-5223
•    IRS, 1-800-829-1040
•    Social Security Administration, 1-800-772-1213
•    Federal Trade Commission Identity Theft Hotline, 1-877-438-4338
•    Credit reporting agencies (see above)
Students also may wish to call the IRS’ Taxpayer Advocate office, 1-877-777-4778.

The IRS has instructed that after the students have filed a crime report with the UC Irvine Police Department, they should complete a paper copy of their tax return, include a note as to what happened that provides the UCI Police Department report (DR) number, and mail the paper return to the IRS’ Fresno office.

The IRS has reported a significant number of identity theft crimes occurring nationwide, and it is possible that UC Irvine is the victim of one of those criminal enterprises.

the university’s financial aid office is arranging emergency loans in appropriate amounts for current students who face financial hardship by the delay in receiving their income tax refund
[Evan] This seems like really good judgment on the part of the school.

Ensuring data security is one of the most important responsibilities we have to the campus community and a top priority. We continually work to strengthen our information security practices.
[Evan] I really like this statement.  The key concepts in this statement that grab my attention are "top priority" and "continually work to strengthen".  I couldn't agree more.

Student Reaction:
Graduate student Stephanie Casey said she didn't know if her identity was stolen, but she's disturbed that the campus has not been telling students to call the credit agencies and put fraud alerts on their accounts.
[Evan] This statement must have been made without the knowledge that the school has informed students and urged them to call credit agencies.

"All these students don't know how serious it is that their names were sold," Casey said. "UCI is trying to keep it out of the press because it looks horrible for them, but either (an employee) did this or someone they contracted with did this, and they don't want to create mass panic, but this is the kind of thing you should be panicked about."
[Evan] I included these remarks because I do agree that this seems like an inside job based on the limited information we know.

Henisey said outside contractors are being examined as a possible source for the leak, possibly including those involved with health insurance, employment and unions.

UCI appears to be the only campus in the UC system or in Orange County that is having the problem, Henisey said.

Commentary:
This breach is unnerving in the fact that nobody seems to know how it occurred or is occurring.  Victims probably feel helpless and authorities are limited in what they can do to help.  All in all, it seems like the school, police and other investigators have done a good job in identifying the problem and responding to it.  This has to be a significant challenge for them.

Past Breaches:
Unknown

]]> Thu, 10 Apr 2008 08:14:10 +0000 irvine irvine police department police students contact campus police credit agencies credit irvine police medical students University of California Irvine students are hit with mysterious breach http://securityratty.com/article/4b50b16067e6326c756d635c87b5dba1 http://securityratty.com/article/4b50b16067e6326c756d635c87b5dba1 Security Breach

Date Reported:
4/3/08

Organization:
Fresno County

Contractor/Consultant/Branch:
None

Victims:
New parents and babies

Number Affected:
279

Types of Data:
Names and Social Security numbers

Breach Description:
"Fresno County health officials say 279 birth certificate applications that list personal information of Valley babies and their parents are missing after they were mailed to the state. An envelope containing the birth certificate applications arrived at the the state Department of Public Health in Sacramento damaged, but with most of the forms missing."

Reference URL:
The Mercury News
The Fresno Bee

Report Credit:
The Associated Press

Response:
From the online sources cited above:

Fresno County health officials say 279 birth certificate applications that include the Social Security numbers of the babies' parents are missing.
[Evan] Thankfully, these babies do not have Social Security numbers yet, otherwise this adds a whole new dimension.

The state Department of Public Health told the county in February that an envelope containing 378 birth certificate applications from Fresno County had arrived damaged in Sacramento and that most were missing.

The forms contain information about babies born in six San Joaquin Valley hospitals, including their parents' names and Social Security numbers.
[Evan] Again, Social Security numbers used as personal identifiers in a manner that they were never designed for.

State officials called the incident a low risk for identity theft, but parents were notified about the missing forms.
[Evan] I wonder who makes the judgment call that terms this "low risk".  Must be somebody that is well versed in risk management, right?

The Postal Service is searching for the items and trying to figure out where the certified letter was damaged.

Fresno Bee Opinion Column:
The latest screw-up by Fresno County is more evidence of how cavalierly county officials treat the public's sensitive personal information. No wonder identity theft is out of control. Our government, at all levels, is a major contributor to the problem.

Sending this information by mail may not have been the dumbest thing county officials have done lately, but it has to be right up there. Why wasn't this packet sent by courier or some other more secure means?
[Evan] Like encrypted on a CD or transferred over a secure network.

In February, county officials warned thousands of CalWORKs clients that they could be victimized after a laptop computer was stolen.
[Evan] We missed this one on The Breach Blog.  I may have to go back an add it now.

The response by county officials is to shrug off these lapses, and offer the standard response that they don't think anyone has been the victim of fraud because of their negligence. How do they really know?

The security of personal information must have a much higher priority than the Board of Supervisors gives it. The board should be demanding that sensitive information not be put on laptops that can be easily stolen, or bundled up and dropped in the mail -- a packet that can be easily damaged during the mailing process.

Every year, tens of thousands of Californians become identity theft victims. Thieves create new credit card accounts with stolen Social Security numbers, then rack up huge expenditures on the cards before the victims notice.
[Evan] Tens of thousands of victims in California, yet people continue to tag breaches as "low risk".

In the San Joaquin Valley, methamphetamine users are glad that Fresno County doesn't have strong security procedures for personal data. Police tell us that 70% of Fresno's identity-theft cases are committed by meth addicts. They stay up for days finding ways to steal personal financial information.

Fresno County makes it easy for them.

Commentary:
Can you imagine the joy that many of these parents feel in bringing home a new baby boy or girl.  Now imagine some of the joy being taken away because somebody unnecessarily exposed your personal details.  It stinks that terrible security practices have the potential to affect personal lives.

Past Breaches:
Unknown

]]> Mon, 07 Apr 2008 12:07:10 +0000 county sensitive personal information personal information fresno fresno county list personal information security security breach officials New parents exposed in Fresno County lost mail http://securityratty.com/article/662c821c98ea5a31b7ba3df83725eae5 http://securityratty.com/article/662c821c98ea5a31b7ba3df83725eae5 Security Breach

Date Reported:
2/16/08

Organization:
Clovis Unified School District

Contractor/Consultant/Branch:
Systematic Automation*

*This breach is related to:
"Theft from vendor affects Modesto City Schools employees" dated 2/12/08, and
"L.A. Dept. of Water of Power employees exposed" dated 2/19/08

Victims:
Employees

Number Affected:
~4,000**

**Over 15,000 total (and counting)

Types of Data:
Names, addresses and Social Security numbers

Breach Description:
Computer equipment was stolen from a Clovis Unified School District vendor, Systematic Automation that contained sensitive personal information belonging to employees of the district.  Systematic Automation manages employee benefit information, and the district is the third reported organization affected by the loss.

Reference URL:
CBS Channel 47 News online story
The Fresno Bee online story

Report Credit:
CBS Channel 47 News

Response:
From the online sources cited above:

Clovis Unified School District employees were notified that a computer stolen this week from a Fullerton company contained personal information -- including Social Security numbers -- for about 4,000 district employees.

police do not believe the intent of the burglary was to steal identity information
[Evan] I don't know how you would determine intent based on the limited information available.  At some point in time thieves are going to figure out that there is a heckuva lot more to gain by using the stolen information than there is in the pawning off the hardware.

Fullerton police say the computers are password protected but that doesn't mean the code can't be cracked
[Evan] This is very true.  Most Windows passwords can be bypassed in less than five minutes.

the district has recommended that employees establish fraud alerts on their credit files

The district also held two fraud-prevention seminars for employees Wednesday, with seven more planned during the next week.

Employee information for Clovis Unified and 15 other organizations was jeopardized when Systematic Automation of Fullerton was burglarized about 4:30 a.m. Monday.
[Evan] Wow.  15 organizations and their employees are at risk due to one breach.  We know of at least three; Clovis Unified School District, Los Angeles Department of Water and Power ("DWP"), and Modesto City Schools.

District employees were alerted in an e-mail about 3:30 p.m. Tuesday
[Evan] Quick notification.  This was a good decision on the part of district management

The stolen computer contained Clovis Unified employee names, addresses and salaries, as well as Social Security numbers. It did not contain birth dates or other personal information.

Systematic Automation handles the online benefits enrollment for Clovis Unified employees and publishes information on what benefits each employee receives
[Evan] Might need to change "handles" to "handled".  I wonder how this single breach affects Systematic Automation's business viability.

The police believe the computers contained tens of thousands of pieces of information.

Commentary:
What is there to say that hasn't already been said in the two previous postings?  Did any of the 15 organizations audit Systematic Automation's information security practices?

Past Breaches:
Clovis Unified School District:
Unknown
Systematic Automation:
February, 2008 - L.A. Dept. of Water of Power employees exposed
February, 2008 - Theft from vendor affects Modesto City Schools employees

]]> Wed, 20 Feb 2008 22:57:26 +0000 district district employees school district district management school district vendor school district employees employees sensitive personal information personal information Clovis Unified School District employees receive notice